How To: Integrating Azure SaaS Discovery with Reftab

Reftab now offers automatic discovery of who has access to your SaaS platforms by integrating with your Azure instance. In this guide, weโ€™ll give you a step-by-step look at setting this integration up.

Azure Settings

The first step in this process is to setup the initial application for Azure to integrate to Reftab. 

This can be accomplished by logging into your Azure account (, and then clicking on โ€œEnterprise Applicationsโ€ under โ€œAzure servicesโ€.

If you do not see โ€œEnterprise Applicationsโ€, then you will need to click the menu tree in the top left corner, and then click โ€œAll servicesโ€. Here you can search for โ€œEnterprise Applicationsโ€ and star the service so that it can be easily accessed from the landing page.

Once inside the Enterprise Applications page, click โ€œNew applicationโ€, then โ€œCreate your own applicationโ€. Give the application a name, something simple like โ€œReftabโ€ will suffice. Ensure that โ€œIntegrate any other application you donโ€™t find in the gallery (Non-gallery)โ€ is checked. Then press โ€œCreateโ€.

After the creation of the application, take note of the โ€œApplication IDโ€ under the โ€œPropertiesโ€ header in the page you have been brought to, this will be needed later on.

Next the application needs to be granted permissions. In order to do so, navigate to โ€œPermissionsโ€, which can be found under โ€œSecurityโ€. Then click on โ€œapp registrationโ€. Next, click on โ€œAdd a permissionโ€, and then select the โ€œMicrosoft Graphโ€ API.

Select โ€œApplication permissionsโ€ when deciding the type of permission the application requires.

Next, filter by typing in the respective box and search for โ€œApplicationโ€, expand the category and checkmark โ€œApplication.Read.Allโ€.

Next, we will filter once again but for โ€œUserโ€, scroll down until you locate the โ€œUserโ€ category, expand the category, and checkmark โ€œUser.Read.Allโ€.  

Once permissions have been added, click on โ€œGrant admin consent for Default Directoryโ€, then click โ€œYesโ€ on the confirmation popup. Ensure the warning status turn green for both permission nodes once consent is granted.

Next, create a new client secret by navigating to โ€œCertificates & secretsโ€ on the left-hand menu, click โ€œNew client secretโ€, then enter a short description. โ€œReftabโ€ will be adequate. Set your expiration timeframe, the recommended is 180 days by default. Then click โ€œAddโ€ to create the client secret.

Take note of the string under the โ€œValueโ€ column, as it will be needed later.

**This is the only time that this value will be visible**

Last, grab the OAuth 2.0 token endpoint (v2). This can be found by navigating to โ€œOverviewโ€ on the same page, and clicking on โ€œEndpointsโ€. The URL will be the second line item in the screenshot below. Take note of this, as it will also be needed in the next steps.

Reftab Settings

Now that things are setup on the Azure side, log into your Reftab account:

Next, click on โ€œSettingsโ€, then โ€œIntegrationsโ€, then finally click on โ€œConfigureโ€ for Azure SaaS Discovery.

Now input your endpoint url into the โ€œAzure Oauth2 Token Endpointโ€ field. Then input your Application ID into the โ€œClient IDโ€ field, then last input your client secret value into the โ€œClient Secretโ€ field. Next click โ€œSave Azure Settingsโ€. Then click โ€œRefresh Azure Applicationsโ€. Your Azure application will now populate.

..and there you have it! You have successfully integrated Azure SaaS Discovery w/ Reftab! You can now create subsequent applications for each license you would like to have automatically assigned to users in Reftab.

For questions, email โ€˜[email protected]โ€™